CrushFTP warned prospects of an unauthenticated HTTP(S) port entry vulnerability and urged them to patch their servers instantly.
As the corporate additionally defined in an electronic mail despatched to prospects on Friday (seen by BleepingComputer), the safety flaw allows attackers to realize unauthenticated entry to unpatched servers if they’re uncovered on the Web over HTTP(S).
“Please take rapid motion to patch ASAP. A vulnerability has been addressed right now (March twenty first, 2025). All CrushFTP v11 variations had been affected. (No earlier variations are affected.) A CVE will likely be generated quickly,” the corporate warned.
“The underside line of this vulnerability is that an uncovered HTTP(S) port may result in unauthenticated entry. The vulnerability is mitigated In case you have the DMZ characteristic of CrushFTP in place.”
Whereas the e-mail says this vulnerability solely impacts CrushFTP v11 variations, an advisory issued on the identical day says that each CrushFTP v10 and v11 are impacted, as cybersecurity firm Rapid7 first famous.
As a workaround, those that cannot instantly replace CrushFTP v11.3.1+ (which fixes the flaw) can allow the DMZ (demilitarized zone) perimeter community possibility to guard their CrushFTP occasion till safety updates might be deployed.
In accordance with Shodan, over 3,400 CrushFTP cases have their internet interface uncovered on-line to assaults, though BleepingComputer could not decide what number of have already been patched.
In April 2024, CrushFTP additionally launched safety updates to patch an actively exploited zero-day vulnerability (CVE-2024-4040) that allowed unauthenticated attackers to flee the person’s digital file system (VFS) and obtain system recordsdata.
On the time, cybersecurity firm CrowdStrike discovered proof pointing to an intelligence-gathering marketing campaign, probably politically motivated, with the attackers concentrating on CrushFTP servers at a number of U.S. organizations.
CISA added CVE-2024-4040 to its Identified Exploited Vulnerabilities catalog, ordering U.S. federal businesses to safe susceptible servers on their networks inside per week.
In November 2023, CrushFTP prospects had been additionally warned to patch a crucial distant code execution vulnerability (CVE-2023-43177) within the firm’s enterprise suite after Converge safety researchers who reported the flaw launched a proof-of-concept exploit three months after the flaw was addressed.
File switch merchandise like CrushFTP are engaging targets for ransomware gangs, particularly Clop, which was linked to information theft assaults concentrating on zero-day vulnerabilities in MOVEit Switch, GoAnywhere MFT, Accelion FTA, and Cleo software program.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and how one can defend towards them.